M.ISRM, CAPPS

 

Incidents should be classified into different categories, from the least to the most pressing. By ordering incidents according to their risks and impacts, organisations are able to better decide the corresponding security protocols needed to respond to them. We are all aware that one cannot and should not respond to a critical incident with the resources meant for low-risk incidents – such a mismatch is a failure in response and may flag a need for the organisation to review the suitability and robustness of its Risk Management Framework.

 

Organisations should take a systematic approach to create structured processes and protocols to effectively respond to incidents. Such an approach is called Risk Management or Crisis Management.

 

All responses to potential incidents and accidents are to be tested, observed and evaluated to ensure their effectiveness.

Enough said, let’s dive deep into the 4 main categories of incident classification: Standard Incident, Routine Emergency, Major Incident and Crisis.


Standard Incident

Standard Incidents are generally predictable and relatively easy to manage with pre-planned response measures. That said, when and how they emerge, and what their consequences may be, can vary widely from organisation to organisation. Hence, there is no one-size-fits-all approach to managing them.

Standard incidents are commonly identified through risk assessments or situations where the risks are clearly and widely recognised. With timely and effective incident management protocols in place and proper Standard Operating Procedures (SOPs) routinely checked and tested, standard incidents can be brought under control.

 

 

Routine Emergency

Whether it is a disruptive event that occurred at short notice or one that emerged from gradual failures, such an incident can be classified as a routine emergency. Recognising the early signs of problems is critical to curbing and managing routine emergencies. While there are protocols in place to manage routine emergencies, they typically take longer than standard incidents to be brought under control or for business to resume.

 

Multiple solutions are usually required to manage these routine emergencies. The solutions should be tested at least biannually during drills and operational readiness exercises to ensure everyone is clear on what to do. Ideally, the Business Continuity and Crisis Management Team within the organisation should helm the drills.

 

Major Incident

More often than not, major incidents are unique, rare or unforeseen problems that arise from poorly managed risks. Major incidents create exceptional challenges for organisations because they are not easily managed by pre-planned responses. Due to their surprise nature – emerging from accidents that have been overlooked or have suddenly escalated – these incidents are beyond an organisation’s control and can lead to long-term consequences and a long recovery period. 

 

Organisations cannot rely solely on their crisis management team to resolve these incidents. Collaboration with other industry or corporate security partners and agencies is critical in offering strategic solutions to manage the confusion, fear and risks involved.

 

Crisis

Finally, incidents classified under ‘Crisis’ are the most dynamic and unpredictable. A crisis has the potential to single-handedly destroy the existence of an organisation. A crisis often comes with multiple other parallel incidents and risks, which can leave the organisation at a loss as to what to do.

 

Many organisations attempt to prevent crises from happening by having various risk control measures in place, but that is insufficient. There have to be sustained efforts and committed resources (capital, manpower and time) to watch out for crises and pre-empt them. Managing and identifying crises is everyone’s responsibility – no one department or individual should be the only owner.

 

The most common pitfalls leading to crises are denial and complacency. Individuals should be encouraged to exercise vigilance and creativity, and to be willing to step up beyond their usual scope of work to mitigate crises or take part in Risk & Crisis Management brainstorming sessions.